Dear all,

Many, many thanks to everyone that has replied to me on this - there are just far too many for me to thank individually, or list here.

Basically the machines in question have been hacked into, and the ls command replaced with one that hides files with a 01 in them.

References:
http://www.cert.org/CA-2001-05.html
SUMMARY: root-compromised systems -- a warning (from this archive)

regards,
Mark

Mark King wrote:
> Dear all,
>
> I'm encountering a very strange problem on two boxes, both running Solaris
> 2.7 (one's an Ultra 2 running DiskSuite, the other an Ultra 10, plain ufs).
>
> There are files located in certain directories that I can copy, move, and
> display, but ls -la just will not show them.
>
> eg. In the directory Z, here is the following output from various commands:
>
> bash-2.03$ ls -la
> total 382964
> drwxr-xr-x 2 markk technology 512 Apr 17 17:00 .
> drwxrwxr-x 17 weblogic technology 1536 Apr 17 12:09 ..
> -rw-r--r-- 1 markk technology 60064608 Apr 17 12:09 file1.ext1.ext2.ext3
>
> (* It only displays the one file *)
>
> bash-2.03$ ls (then pressing TAB twice)
> file1.ext1.ext2.ext3 zip12042001_DB.dmp.gz zip16042001_EJB.tar.gz
> zip12042001.tar.gz zip12042001_EJB.tar.gz zip17042001.tar.gz
> zip12042001.tgz zip16042001.tar.gz zip17042001_Beans.tar.gz
> zip12042001_Beans.tar.gz zip16042001_Beans.tar.gz zip17042001_EJB.tar.gz
>
> (* So it knows the zip files are there *)
>
> bash-2.03$ ls zip*
> bash-2.03$ ls -la zip*
> total 382964
> (* both of these do not complain, as the files do exist, but it does
> not display them *)
>
> bash-2.03$ ls not-here*
> not-here*: No such file or directory
> (* expected return *)
>
> bash-2.03$ ls -la not-here*
> not-here*: No such file or directory
> (* expected return *)
>
> Has anyone else encountered these problems before?
> I haven't been able to find anything on Sunsolve, sunhelp etc so far.
>
> many thanks for any advice,
> cheers,
> Mark
>
> Senior Systems Administrator
> ____________________________________________________________________
> http://www.akqa.com
> mailto:mark.king@akqa.com
> T: + 44 (0)20 7494 9200
> F: + 44 (0)20 7494 9300
> AKQA, Princes House, 38 Jermyn Street, St James's, London, SW1Y 6DN, UK.
>
> Confidentiality notice:
> The information transmitted in this email and/or any attached document(s) is
> confidential and intended only for the person or entity to which it is
> addressed and may contain privileged material. Any review, retransmission,
> dissemination or other use of, or taking of any action in reliance upon this
> information by persons or entities other than the intended recipient is
> prohibited. If you received this in error, please contact the sender and
> delete the material from any computer.
>
> ------------------------------------------------------------------------

Received on Wed Apr 18 09:10:27 2001
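
The symptom in the message above (tab completion shows the files, ls does not) can be turned into a repeatable check. The following is an added example, not part of the original post: it compares the names an ls binary reports with the names the shell's own filename expansion finds. The function name `hidden_entries` and its optional second argument are assumptions made for this sketch; it detects a replaced userland ls only (not kernel-level hiding) and assumes file names without newlines.

```shell
#!/bin/sh
# Added example (not from the original post): list directory entries that the
# shell can see through its own glob expansion but that an ls binary omits.
# The shell expands globs itself, without running ls, which is why TAB
# completion in the post still showed the zip files.
#
# hidden_entries DIR [LS_CMD]
#   DIR     directory to check
#   LS_CMD  ls binary to test (hypothetical parameter; defaults to "ls" on PATH).
#           Point it at the suspect binary, or at a known-good copy from
#           trusted media to confirm the difference.

hidden_entries() {
    dir=$1
    ls_cmd=${2:-ls}

    # Names as reported by the binary under test: -a includes dotfiles,
    # -1 prints one name per line. A filtering binary may exit non-zero,
    # so keep whatever it printed instead of aborting.
    listed=$("$ls_cmd" -1a "$dir" 2>/dev/null) || true

    (
        cd "$dir" || exit 2
        # These three patterns together match every entry except . and ..
        for name in * .[!.]* ..?*; do
            # An unmatched pattern stays literal; skip it.
            [ -e "$name" ] || [ -L "$name" ] || continue
            # Exact, fixed-string, whole-line match against the ls output.
            printf '%s\n' "$listed" | grep -F -q -x -- "$name" \
                || printf '%s\n' "$name"
        done
    )
}
```

Calling `hidden_entries /path/to/Z` prints one omitted name per line and prints nothing when ls and the shell agree. On a host already suspected of root compromise the shell and grep may be replaced too, so the result is an indicator rather than a clean bill of health.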